How South Korea turned an urban planning system into a virus tracking database

When a man in Seoul tested positive for the new coronavirus in May, South Korean authorities were able to confirm his wide-ranging movements in and outside the city in minutes, including five bars and clubs he visited on a recent night out.

The fast response — well ahead of many other countries facing outbreaks — was the result of merging South Korea’s already advanced methods of collecting information and tracking the virus into a new data sharing system that patches together cellphone location data and credit card records.

The Epidemic Investigation Support System (EISS), introduced in late March, effectively removed technological barriers to sharing that information between authorities, by building on the country’s ‘Smart City’ data system.

That platform was originally designed to let local authorities share urban planning information, from population to traffic and pollution, by uploading data in Excel spreadsheets and other formats. Now it forms the foundation for a data clearing house that has turbocharged South Korea’s response to the virus.

While personal location and credit card data has been available for use by South Korean health investigators for years, previous systems required physical paperwork to request the data before it was uploaded to analytical software. That took investigators about two to three days to gather a patient’s personal data to trace their contacts.

The new system digitizes the entire process, including the requests, and can reduce that time to less than an hour, officials say. Investigators can use it to analyse transmission routes and detect likely infection hotspots.

The system has had some teething problems, and has attracted criticism on privacy grounds, but it has been a major factor in the East Asian nation of 52 million keeping virus infections at a relatively low 11,122, as of Thursday, with just 264 deaths.

It got its first test with an outbreak in May, traced to the Itaewon district of Seoul known for its nightlife, which ended up infecting at least 206 people.

“Faster epidemiological survey means faster discovery of potential patients, which helps contain the spread of the virus even when there’s a massive cluster of infections or people who are asymptomatic, as we’ve seen in the nightclub outbreak,” said Yoon Duk-hee, director for infectious disease management in Gyeonggi Province, a densely populated region near Seoul.

Yoon said she and other authorities used the EISS to trace the movements of the first person detected in the Seoul nightclub outbreak, as he visited a number of places including two nightclubs and three bars.

The system is still reliant on humans operating it to approve and upload data, which can lead to delays. And in some cases, concerns over privacy and security have led to access being so restricted that some local officials said they had to rely on old-fashioned methods.

When another infected person — a 25-year-old man known as Incheon Patient 102 — told health authorities that he did not have a job, city officials said they went to the police because the information they wanted to check was not available in a timely manner on the EISS.

The phone’s location data showed he was a teacher at a private academy, where subsequent contact tracing and testing revealed at least 30 other people had been infected, including some of his students and their parents.

“There were limitations to the system,” said an official at the Korea Centers for Disease Control and Prevention (KCDC), on condition of anonymity because he was not authorised to speak to the media. “We are now trying to address them after the Itaewon outbreak.”

The EISS was jointly developed by the KCDC and the Ministry of Land, Infrastructure and Transport, with the help of the Korea Electronics Technology Institute (KETI). Many details of how the system works and some limitations of the programme have not previously been reported. A scientific paper on the system was published in a public health journal only on Wednesday.

Authorities’ power to get information was established by a 2015 law called the Infectious Disease Prevention and Control Act, introduced after the country was hit by Middle East Respiratory Syndrome (MERS).

The law allows South Korean health officials to access a wide range of personal data, including cellphone location information and credit card transactions, without a court order.

While many countries are scrambling to develop smartphone apps that can trace the contacts of patients without revealing detailed personal information, South Korea has forged ahead with a more invasive approach.

The EISS allows an authorised investigator to log in to a secure web portal and send information requests about specific confirmed cases. Police agencies must approve requests for location data from three telecommunications operators, while the Credit Finance Association handles approval for information from 22 credit card companies.

When a request is approved, designated officials at the companies receive alerts on their phones and computers. They then upload individuals’ data in an Excel spreadsheet.

The investigator then has temporary access to the information to conduct analysis. There are usually more than 10,000 location data points for each person in a typical 14-day period being analysed, according to the KCDC.

An EISS web portal seen by Reuters showed an interactive map displaying patient movements, with each location data point indicating whether it was collected via credit card or cellphone.

The government says access is restricted and authorized investigators must log in through a virtual private network (VPN) and use two-factor authentication to prevent security breaches.

Officials told Reuters that developers of the system had considered using surveillance footage and even facial recognition as part of the data the system could access, but decided against it because of privacy concerns. While CCTV is not accessed or uploaded to the EISS portal, health investigators still widely use such footage to track cases.

“We spent more time agonising over privacy than on developing the system,” said Park Young-joon, a director at the KCDC.

Still, the system has raised concerns over its use of private data.

“It represents a rare non-judicial, non-consensual acquisition of location data, with no judicial oversight for the data collected,” said Deborah Brown, a digital rights researcher with the US-based Human Rights Watch. “There’s a concern that the door is open to abuse.”

South Korean officials told Reuters that data on almost every person confirmed to have the virus is entered into the system to allow cross-referencing and analysis of likely hotspots. The KCDC declined to say how many people’s data has been collected in all.

People do not have any choice whether their data is collected and accessed, but officials told Reuters that authorities notify anyone whose information is gathered and that all the data will be deleted when the virus is contained.

“Such information should only be used for crises like infectious diseases,” said Gyeonggi Province Governor Lee Jae-myung. “But thankfully our people understand that it is inevitable in battling the pandemic.”

At a national or global level, lives are more important than personal privacy, said a 64-year-old South Korean woman who asked only to be identified by her surname Jang. “Personal privacy is important, but preventing an infectious disease is even more so.”

Some local health investigators said that access to the EISS has been too restricted or too slow, so they have gone back to traditional ways of requesting data.

One Incheon health official told Reuters the city did not initially use EISS on Incheon Patient 102 because it took too long to get the person registered.

Those concerns have since been addressed by changes that will allow local agencies to register patients themselves rather than waiting for the KCDC, said Kim Jae-ho, a director at KETI.

Travel information and medical records may be added to the system, two people working on the project told Reuters. South Korean health ministry official Yoon Tae-ho said at a briefing that they are also looking at the use of Bluetooth and QR codes to log places people visit — such as nightclubs.

There was “an inertia in administrative process,” the first KCDC official told Reuters. “But now I am swamped with calls from the local governments about how to use the system.”